De Brauw

Privacy and Cookie Statement

Privacy and cookie statement of www.debrauw.com

This is the privacy statement of De Brauw Blackstone Westbroek N.V., based at Claude Debussylaan 80, 1070 AB in Amsterdam. We explain how De Brauw uses personal data when you apply for a job, when we provide legal services, when you act as a supplier to De Brauw and when we use contact data in our CRM system. If you have questions about how De Brauw uses your data, please contact our data protection officer via DPO@debrauw.com. This privacy statement dates from16 December 2019and may be changed over time.

Contents

Who is responsible for the use of my data?

When I visit the website, which data do you collect, for what purpose do you use this data, and for how long do you store it?

What cookies do you use, and for what purpose?

When I apply for a job at De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

When I provide goods or services to De Brauw, which data do you collect, for what purpose do you use this data, and for how long do you store it?

What data do you store in your CRM system, for what purpose do you use this data, and for how long do you store it?

How do you secure my data?

How do you share my data outside the EU?

What happens when you get an order to disclose personal data?

To whom can I address my questions and requests for inspection, correction and removal of my personal data, and what other rights do I have?

1. Who is responsible for the use of my data?
De Brauw is the sole controller when you visit our websites, when we handle job applications, when we use contact data in our CRM system, and when you provide us with goods or services,. However, De Brauw often considers itself to share responsibility as controller with the client when we provide legal services. We normally agree with the client that De Brauw and the client can each deal with requests from individuals exercising their privacy rights (seehere). In certain exceptional cases – for example, in specific due diligence work – the client is the sole controller and De Brauw is the processor. When you use our client portal Connect, for some applications the client may be the controller and De Brauw the processor. Where applicable, we will then conclude a data processing agreement with the client. If we are the processor, and you contact us with a privacy-related question, we will refer you to the organisation that is the controller.

2. When I visit the website, which data do you use, for what purpose do you use this data, and how long do you store it?
De Brauw has multiple websites:

For all these websites and site-based apps, we collect usage data: your IP address, the pages you visit, when you visit those pages, and (where applicable) the previous/subsequent site you visit. We use this data for various reasons, including: to generate usage statistics; to provide for (additional) functionality on the sites; to manage the sites by resolving any technical faults or improving accessibility to certain parts of the sites; and safeguarding the security of our IT systems. We retain this data for 12 days, unless stated otherwise. We process this data to ensure that you can visit a functional and secure websites and apps. We use an external hosting provider to serve the websites and apps, except for ECC, which we host ourselves. This means that for those websites where we use a hosting provider, the personal data collected when you visit our website will be transferred to the hosting provider (as a processor). Our Dawn Raids app does not collect any information from your device.

Our client and local counsel websites mentioned above also allow you to create an account. If you decide to create an account, we will collect your email address and your password. We use this data to register you with our website and provide you with access to the website. We use your email address to restore your password and to send you updates about our service. Some of the websites also process further data about you for additional purposes:

ForConnect: for some users, we automatically add the organisation you work for. You can add more information to your profile, such as your bio and a picture. By doing so, if you are a flexpooler, we know for what engagements we could contact you. We make this profile data also available to others on the platform. By doing so, we for example know for what engagements we could contact you. In addition to the usage data mentioned above, we also collect the access type (Download, View, Print). We retain usage data for 1 year.

ForECC: we use your email address to remind you to submit fee updates. For all our client and local counsel websites, we process this data on the basis of our interest to perform our services as agreed with our client. For Connect, we retain this data for as long as you have an account with us. For ECC, we retain this data for seven years after the data was submitted.

3. What cookies do you use, and for what purpose?
When you visit a website of De Brauw, cookies are placed on your computer. De Brauw uses two types of cookies:

Necessary cookies: De Brauw uses a cookie in order to offer the website’s basic functionality and to remember your cookie settings. This cookie is called _gat. It is stored for 26 months.

Cookies for analytics: De Brauw uses cookies to generate anonymous user statistics to make our websites more user-friendly. We do this through Google Analytics, a web analysis service offered by Google Inc. (Google). Google uses aggregated statistical information to provide De Brauw with an understanding of how visitors are using our websites. To protect your privacy, we have configured Google Analytics to only store part our visitors’ IP address and to not share data with others. Google may only provide this information to third parties if it has a statutory duty to do so or to the extent that the third parties are processing the information on Google’s behalf. We have signed a data processor agreement with Google. We use the following cookies for this purpose: _ga and _gid. These are stored for 26 months.

If you want, you can turn off Google Analytics tracking for debrauw.com : On Off

When you visit Connect, we use the following cookies: (i) DWRSESSIONID and cfusi for security purposes, stored during the session, (ii) FK, dwp and rsu for authentication purposes, FK stored for 1 day, dwp and rsu stored for 100 days and (iii) ROUTEID to improve performance, stored during the session

4. When I apply for a job at De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

When you apply for a job at De Brauw viacareersatdebrauw.comordebrauw-thebrewery.nl, or when you apply for a student master class atmasterclassthedeal.nlordebrauw360.com, you will be forwarded to the job application platform, connexys.com. You will then be asked to provide certain personal information. If you provide us with a link to your LinkedIn profile, we will also add the profile information to your application. You may be asked to provide further information in follow-up correspondence with us.

We use this data: to assess your suitability for the position, to safeguard our internal control and security, to comply with legal obligations, and to handle requests for reimbursement of your expenses. We also use the information to determine your employment terms. We process this data to ensure that we find suitable candidates for our vacancies, or – in the case of identity documents and certificates of conduct – because we have a legal obligation to do so.

If you have applied to work at De Brauw and you have been hired, the data will be added to your employee file and retained for seven years after you leave De Brauw. If you have been accepted to one of our student events, the data will be stored for two years. If your application has been rejected, the data will be retained for a period of four weeks after our decision, unless you give us permission to use your personal data to inform you of any suitable vacancy or position in the near future. In that case, we will retain your data for one year.

The job application platform is provided by Connexys B.V. as processor.

For some job applications, we will ask Pearson Benelux B.V. or LTP Advies B.V. as processors to perform an assessment. We will provide some of the information you submitted to us, including your name and CV, to the assessment firm. We store the outcome of the assessment, together with the other data you provided to us, and retain this for the same periods (see above). We also use The Selection Lab B.V. for assessments.

5. When you provide legal services, which data do you use, for which purpose do you use this data, and for how long do you store it?
De Brauw is generally engaged for investigations, litigation and corporate matters. In the course of providing those services, we process personal data of different categories of people. These include clients, clients’ contact persons, witnesses, experts, counterparties, counterparties’ contact persons, counterparties’ lawyers and advisors, and persons whose personal data forms part of a file. In particular:

When we assist in litigation and perform investigations, we may search for relevant information in files provided by our clients or another party. We may use this information, including personal data, in documents drafted by us as part of our services. For litigation, this includes investigating and preparing court documents. For investigations, this includes reporting to a client on its compliance with the law.

When we are engaged as counsel in corporate matters, we may set up or review a data room, which often contains personal data – for example, about employees. Or we might be asked to provide advice on corporate governance, which often involves analysing documents containing personal data. Sometimes we incorporate that information in documents drafted by us, such as reports or contracts. We do this to effectively provide legal services to our client, including by the preparing of -, and advising on, a transaction involving the acquisition or restructuring of a company.

We also process some of the personal data mentioned above for internal knowhow purposes. For example, we store relevant files (after attempting to remove most personal data) and some of our interactions with others, such as, representatives of supervisory authorities attorneys and judges, in our internal knowhow repository, to retrieve this information at a later date.

We do this processing on the basis of our clients’ legitimate interest in establishing, exercising and defending their legal rights, on the basis of our own commercial interest to offer high quality professional services and we may also do this because we are legally obliged to.

We will also use the contact details (name, address, email address) of our client (or their contact person) to send invoices. We do this to enable us to collect fees for our services, as part of the performance of the agreement between us and our client.

Lastly, we store this data to allow for a possible audit by the Netherlands Bar Association or the Royal Dutch Association of Civil-law Notaries. We do this because we are legally obliged to.

We retain our files for 20 years after the matter is closed, unless we are required by law to retain the files for a longer period of no more than 30 years (for example, in certain environmental cases). After this period, we will offer to return original documents which were provided by the client, and we will securely destroy all files. For notarial files, the retention periods prescribed by law apply.

Prior to most engagements, we collect certain information to verify the identity of the client, in order to comply with anti-money laundering legislation and legislation governing Dutch legal professions. De Brauw is obliged to report unusual transactions to the Financial Intelligence Unit (FIU-Nederland). In that case, De Brauw must also provide the information it collected. De Brauw retains this information for a period of five years after the termination of the relationship or the performance of the transaction, unless this information has become part of a matter, in which case it is retained as long as the file of the matter is retained.

Sometimes, we share information processed in the course of providing services, including with lawyers from other firms, other advisors to clients, and courts. But only if this is possible within the boundaries of the strict confidentiality imposed on lawyers and notaries. In some cases, this is because you have given us permission, and in other cases, this is because our clients have a legitimate interest in establishing, exercising or defending their legal rights.

6. When I provide goods or services to De Brauw, which data do you use, for what purpose do you use this data, and for how long do you store it?

When you or your employer does business with us, we will collect certain data about you. Often this information, such as your name, email address and position, is provided by yourself in the course of doing business with us. Part of it might be derived from the order documents: we register what services or goods are provided, and payment details. And, sometimes, we will ask for other information, such as a certificate of conduct. If you are a freelancer, we will also store the contract we have with you. We use this information to process and handle incoming invoices, to book invoices on matters in order to bill these to clients, to create a balance sheet and an overview of profits and losses, to file tax returns, to create internal financial reports, and to arrange for an audit by an accountant.

The basis for the handling of invoices is the performance of our contract with you, or because we have a legitimate interest in performing the contract with your employer. The basis for booking the incoming invoices to clients is the interest in charging our clients for the services provided. The basis for creating a balance sheet and an overview of profits and losses, and to create internal reports on finances, is because we are legally obliged to do so and because we have an interest in administering our finances. The filing of tax claims and the performing of an audit by account is done because we are legally obliged to do so. We retain invoices we receive and the contracts with suppliers, including contact details of suppliers, for a minimum of seven years.

7. What data do you store in your CRM system, for what purposes do you use this data, and for how long do you store it?

De Brauw uses a company-wide system to keep track of its contacts. For most persons, we store the name, email address, phone number, job title and work history (e.g., for which organisation did someone work or is now working). We sometimes also store additional information about someone, such as the industry he or she works in, gender, mailing language, areas of interest, home address, birthday, spouse/partner’s name, hobbies, and other personal notes. We also keep track of the mailings we send to this person. For alumni, we note when someone has left the firm. If, in the past, you have been a client of De Brauw, were subscribed to our newsletters, or have worked with De Brauw, your records are probably in this system.

We use this data to address you personally and ensure that persons within the firm communicating with you know your relevant personal details. We also use this data to get a better overview of your network, the company you work for and its market(s). Lastly, we use this to send you newsletters, updates about our firm and invitations to our events. If you are not yet a subscriber, you can subscribe by sending an email toinfo@debrauw.com. You can always unsubscribe from receiving newsletters or change your preferences by sending an email to the same address. We use your data on the basis of our interest in building and maintaining our network of personal contacts. We delete your data if it has not changed in 36 months and you have not received a mailing via our CRM-system during this period.

8. How do you secure my data?

De Brauw takes office-wide security measures as part of its information security framework. Technical measures include the use of access controls, firewalls, network segmentation, virus scanners, traffic monitoring, penetration tests, and encryption of laptops, phones and USB-sticks. Organisational measures include a clear screen policy, confidentiality provisions, screening of personnel, privacy and security training and awareness, and implementing controls in contracts with suppliers. The IT-department of De Brauw is ISO 27001-certified, which demonstrates that it has implemented its information security measures according to internationally acknowledged standards. De Brauw has an Business Information Security Officer responsible for the development and implementation of the information security policy.

9. How do you share data outside the EU?

In addition to its headquarters in Amsterdam, De Brauw has offices in Brussels, Frankfurt, London, Shanghai, and Singapore. De Brauw has concluded standard contractual arrangements for the international transfer of data with its offices in Shanghai and Singapore (so-called controller-to-controller standard contractual clauses, which can be foundhere). In circumstances where De Brauw transfers personal data to other parties, in those countries outside of the EU/EEA without an adequacy decision, transfer is usually necessary for the establishment, exercise or defence of legal claims. Otherwise, De Brauw will ensure that it provides appropriate safeguards for this transfer in accordance with the GDPR.

10. What happens when you receive an order to disclose personal data?

While this is unlikely, we may be required to disclose personal data by a court order or to comply with other legal or regulatory requirements. We will do everything we reasonably can to notify the persons involved before we disclose these data, unless we are legally restricted from doing so.

11. To whom can I address my questions and requests for inspection, correction and removal of my personal data, and what other rights do I have?

You are entitled at any time to request inspection, correction, removal or restriction of the processing of your personal data by De Brauw. In addition, in some cases you have the right to receive your data in a structured format (i.e., data portability). Please send your request, as well as other privacy-related questions you might have, to De Brauw’s Data Protection Officer at dpo@debrauw.com. Finally, you also have the right to lodge a complaint with the Dutch data protection authority (theAutoriteit Persoonsgegevens).